From: unobe@cpan.org
To: 9front@9front.org
Date: Sun, 15 Aug 2021 00:22:01 -0700
Message-ID: <148FA590AEF1CB246DB367302A906D39@smtp.pobox.com>
List-ID: <9front.9front.org>
Subject: [9front] tinc(8) protocol now at 1.0.36?

tinc(8) states that the peer VPN protocol as of version 1.0.32 is implemented. I've found https://github.com/gsliepen/tinc/tree/master/doc, which appears to describe the protocol. Nothing has changed substantially in those files for years. https://www.tinc-vpn.org/documentation/Technical-information.html#Technical-information doesn't appear to diverge from the GitHub docs.

The software implementation of tinc.org, however, is now at version 1.0.36 and there have been a few bugs that have been reported since tinc(8) was added to 9front: https://www.tinc-vpn.org/security/ shows two oracle attacks, one timing attack, and one MITM attack.

I can't tell from the 9front logs if the CVEs have been reviewed to determine if the 9front version is susceptible, so I am trying to spelunk the code, and I don't think it is:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16758 -- 9front's version isn't susceptible to the MITM: /sys/src/cmd/ip/tinc.c:915 doesn't allow it.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16737 and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16738 -- 9front's version isn't really susceptible to what is described. I don't see in metaauth how CHAL_REPLY could be sent inadvertently. METAAUTH won't allow unknown ciphers/digests, including NULL. As for the # of connections, that is managed when ip/tinc starts.

cinap is the only one who has committed changes to tinc(8). So maybe this is really a question for cinap: can 9front's version be advertised as supporting 1.0.36?
If so, I've attached a patch that updates the man page and also a couple typos I saw in the code: Summary: Update tinc(8) man page to: 1. state the implementation aligns with 1.0.36 of tinc.org; 2. use same hostname as mentioned in usage line. Fix typos in tinc.c. --- //.git/fs/object/da085a2d4cca788686b8f68b2555040cf29dc16c/tree//sys/man/8/tinc +++ /sys/man/8/tinc @@ -29,7 +29,7 @@ .SH DESCRIPTION Tinc implements the mesh peer to peer VPN protocol from .I https://www.tinc-vpn.org/ -as of version 1.0.32. Within a tinc VPN one can reach all +as of version 1.0.36. Within a tinc VPN one can reach all the subnets of all hosts within the network even when not directly connected to the owning host of the subnet. .PP @@ -110,7 +110,7 @@ .TP .B -n Sets our hostname to -.IR myhost . +.IR myname . .SH "SEE ALSO" .IR rsa (8), .IR ip (3) --- //.git/fs/object/da085a2d4cca788686b8f68b2555040cf29dc16c/tree//sys/src/cmd/ip/tinc.c +++ /sys/src/cmd/ip/tinc.c @@ -76,7 +76,7 @@ Host *src; Host *dst; Edge *next; /* next edge on src */ - Edge *rev; /* reverse drection edge */ + Edge *rev; /* reverse direction edge */ uchar ip[IPaddrlen]; int port; @@ -1135,7 +1135,7 @@ if(n != 6 || atoi(f[0]) != META_KEY || strlen(f[5]) != 2*n2) return -1; if(atoi(f[1]) != EVP_AES256CFB || atoi(f[2]) != EVP_SHA256){ - fprint(2, "%s uses unknown cipher/digest agorithms: %s %s\n", + fprint(2, "%s uses unknown cipher/digest algorithms: %s %s\n", c->host->name, f[1], f[2]); return -1; }
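Review bot: the 1.0.32 to 1.0.36 bump in the DESCRIPTION hunk asserts parity with everything on https://www.tinc-vpn.org/security/, which the mail itself says lists four issues (two oracle attacks, one timing attack, one MITM), but only three CVE identifiers are walked through (CVE-2018-16758, CVE-2018-16737, CVE-2018-16738); whichever advisory is not covered should be checked and named before the man page claims 1.0.36, or the number should stay at the last version actually reviewed. It would also help the next bump if the commit message recorded where each check lives (the tinc.c:915 refusal for the MITM and the metaauth cipher/digest check) rather than only "state the implementation aligns with 1.0.36".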
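Review bot: the `-n` hunk renames the argument from `myhost` to `myname` and the summary says this matches the usage line, but the SYNOPSIS is outside the hunk context, so a reader of this diff cannot confirm `myname` is the name used there; quoting the usage line in the commit message, or including it as context, would make the rename self-evident.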
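Review bot: only the spelling of the diagnostic changes in the tinc.c:1135 hunk, but since the mail relies on exactly this `atoi(f[1]) != EVP_AES256CFB || atoi(f[2]) != EVP_SHA256` test as the reason 9front refuses unknown (including NULL) ciphers and digests, the commit message could say so explicitly so the fix and the security argument are linked. A small follow-up to consider: the message echoes the peer-supplied `f[1]` and `f[2]` tokens verbatim with `%s`; since `atoi()` has already been applied for the comparison, printing the parsed integers with `%d` would keep arbitrary peer bytes out of the log line.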
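The metaauth check the mail relies on, as an added example in C that is neither 9front's tinc.c nor tinc's own code: it splits a META_KEY-style request into whitespace-separated fields and applies the same shape of test the hunk above shows (field count, request id, hex key length, then an exact match on one accepted cipher/digest pair), so a peer proposing any other algorithm id, a NULL cipher included, is refused before its key material is looked at. The constants META_KEY, EVP_AES256CFB and EVP_SHA256 and their values (1, 427 and 672, assumed to be the OpenSSL NIDs tinc puts on the wire), the field layout and the sample messages are all assumptions constructed for this example, not taken from the mail or from tinc.c.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed identifiers (not from the mail or tinc.c): request id for
 * META_KEY and the OpenSSL NIDs tinc uses for aes-256-cfb and sha256. */
enum { META_KEY = 1, EVP_AES256CFB = 427, EVP_SHA256 = 672 };

/* Split s in place on blanks; returns the total token count even when it
 * exceeds maxf, so the caller's exact field-count test still fires. */
static int
tokenize(char *s, char **f, int maxf)
{
	int n = 0;
	char *tok;

	for(tok = strtok(s, " \t\n"); tok != NULL; tok = strtok(NULL, " \t\n")){
		if(n < maxf)
			f[n] = tok;
		n++;
	}
	return n;
}

/* Assumed layout: "<id> <cipher> <digest> <maclen> <compress> <hexkey>".
 * keylen is the expected key size in bytes, so the hex field must be
 * exactly 2*keylen characters. Returns 0 only for the single accepted
 * cipher/digest pair; anything else (wrong field count, wrong request id,
 * bad key length, unknown or NULL cipher/digest) returns -1. */
int
check_metakey(const char *line, int keylen)
{
	char buf[256];
	char *f[8];
	int n;

	if(strlen(line) >= sizeof buf)
		return -1;
	strcpy(buf, line);
	n = tokenize(buf, f, 8);
	if(n != 6 || atoi(f[0]) != META_KEY || strlen(f[5]) != 2*(size_t)keylen)
		return -1;
	/* Strict allow-list: no negotiation, no fallback to whatever the peer names. */
	if(atoi(f[1]) != EVP_AES256CFB || atoi(f[2]) != EVP_SHA256){
		fprintf(stderr, "peer uses unknown cipher/digest algorithms: %d %d\n",
			atoi(f[1]), atoi(f[2]));
		return -1;
	}
	return 0;
}

int
main(void)
{
	/* Constructed sample requests; the key is 8 bytes, so 16 hex digits. */
	const char *samples[] = {
		"1 427 672 0 0 0011223344556677",	/* accepted pair */
		"1 0 672 0 0 0011223344556677",		/* NULL cipher */
		"1 427 0 0 0 0011223344556677",		/* NULL digest */
		"1 427 672 0 0 00112233",		/* key too short */
		"1 427 672 0 0",			/* too few fields */
		"2 427 672 0 0 0011223344556677",	/* wrong request id */
	};
	size_t i;

	for(i = 0; i < sizeof samples / sizeof samples[0]; i++)
		printf("%-36s -> %d\n", samples[i], check_metakey(samples[i], 8));
	return 0;
}
```

The point of the shape is that there is no negotiation step: the peer's proposal is compared against one fixed pair and everything else is rejected with the same `-1`, which is why a downgrade to a NULL cipher cannot get past this function.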